npm · Malicious package advisory
Malwarenotify-utilities
MAL-2026-10158
Malicious code in notify-utilities (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (25536516e16cffdc7ad2891886d7dcf32ad325b9ba79c2359026809bcfbf417f)
Package published as notify-utilities masquerades as the pino logger (package.json description, keywords, and index.d.ts are copied from pino; the exported factory is named `pino`). When a consumer requires the package and invokes the exported factory, index.js spawns lib/vcall.js as a detached, unref'd Node child process. That child performs `axios.get('https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5')`, extracts `response.data.model` as a JavaScript source string, constructs a function from it via `new Function.constructor('require', src)`, and invokes the resulting handler with the live `require`, giving the fetched code full module-loading access inside the installer's Node process. The remote source is a third-party JSON storage service under attacker control; the fetched content is mutable and not tied to any publisher signature or version pin. The detached+unref child pattern is used to keep the fetch-and-eval alive after the factory's synchronous return, hiding the ongoing remote execution from the calling process.
Compromised versions (1)
- 1.3.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.